Keep your data safe by following the Password Commandments

Ten rules for crafting and managing strong passwords that you don’t have to worry about forgetting.

Your first–and sometimes only–line of PC defense is your password. Even the most carefully crafted password can be rendered useless if you don’t keep it secret. This is not such an easy thing to do, especially considering all the clever tricks data thieves have come up with to grab it, with or without your knowledge. More dangerous is the lackadaisical approach many people take to creating, using, and protecting their passwords. Here are 10 ways to use passwords to best effect.

1: Don’t write it down. Ever. Either it will be so easy to find that you might as well not use any password at all, or you’ll forget where you put it and somebody else will find it and use it to access your system. You may think your password is safe on that sticky note inside the third appendix of “Mastering OS/2, Second Edition,” but that’s the first place your larcenous pet walker will look (apologies in advance to all pet walkers for disparaging their noble profession).

2: Devise a password-creating system that’s all yours. There are dozens, hundreds, maybe even thousands of Web pages and other resources offering advice on how to craft strong passwords. Of course, these are the first places the people in the business of cracking passwords look for tips. It’s not difficult to come up with your own system that combines a variety of methods. One possibility is to start by reversing an inactive phone number from your past, then convert the numbers to letters, so “213-555-1212: would become “bm-eee-ll” (remove the hyphens, if you wish). Make it even stronger by adding the street name of your childhood home converted from letters to numbers, which would change “Maple” into “13-1-15-12-5”. Now really mix things up by placing the numbers inside the letters: “bme13115125eell”.

The benefits of having your own system over using a random password generator is memorability: If you remember your system, you’ll look at the above sequence and see the phone number and street name, not just the actual letters and numbers. No, I won’t tell you the password-creation system(s) I use, but they don’t have anything to do with old phone numbers or street names. Honest.

3: Don’t send your password via e-mail or give it out over the phone. OK, there are exceptions to this “rule,” such as when your company’s help-desk staff are troubleshooting your system over the phone, but even in those rare instances, it’s a good idea to change your password immediately after you give it out (see more on changing your password below).

4: Disable AutoComplete for user names and passwords. Yes, this feature of Internet Explorer,Firefox, and other browsers can save you time when you’re online, but it also lets anyone who gains access to your Windows login, or to your PC when you’re logged in but away, to visit all the secured sites in its database, change the passwords, and otherwise act in ways you may not appreciate. To disable this feature in IE, click Tools > Internet Options > Content, and choose the Settings button in the AutoComplete section. Uncheck User names and passwords on forms (you may also want to uncheck the other two AutoComplete options: Web addresses and Forms). Click OK, and then choose the General tab, and click Delete > Delete Passwords (and any other options, or Delete all to wipe your browser clean). Click Close and OK.

5: Change your password often. Even if you haven’t had reason to share it recently (as mentioned above), get into the habit of refreshing stale passwords. The more important the data your password protects, the more often you should update it. One way to force yourself to change your Windows login password is by using the password options in Local Security Policy (it’s called “Local Security Settings” in Windows XP). In XP, click Start > Run, type secpol.msc, and press Enter. In Vista, press the Windows key, type secpol.msc, and press Enter. In both versions, select Password Policy under Account Policies. Double-click Maximum password age in the right pane, enter the number of days you want to go between passwords, and click OK. The other options in this dialog box let you enforce password history, set a minimum password age or length, require that the password meet Windows’ complexity requirements, and store encrypted passwords.

Force Windows to require a new login password after a set number of days via the Local Security Policy dialog box.

6: Clear the cache after using a public PC. If you log into a Web site from a PC other than your own, make sure you wipe out all traces of your use by deleting the browser’s personal data. See the steps described in “Disable AutoComplete for user names and passwords” above.

Note that many public PCs reset to the defaults as soon as you log out, but don’t trust them. In fact, it’s good practice to change your passwords whenever you use them in a public setting, even on your own laptop after attending a conference or other event, for example. Snoops love to hang out at such places, whether using a keystroke logger, or simply looking over your shoulder as you log in.

7: If it’s too valuable to lose, don’t keep it on your PC. If you just discovered the secret to changing marshmallows into gold, you may not want to trust the formula to any hard drive, whether or not it’s password-protected, or connected to a network at all. In addition to the threat of data-crackers, the drive could fail, leaving your fate in the hands of some data-recovery service. If you have to store a digital copy of some important file, place it on an optical disc designed specifically for archiving, and store that disc in a safe place, such as a bank deposit box. And–of course–make a copy that you store in a separate, secure location. When optical drives are replaced by some new-fangled storage medium, copy the data to a secure version of that medium, but you probably don’t have to worry about this for at least a couple of years.

8: Create a password-reset disk. It doesn’t have to be a floppy, which is a good thing since few new PCs even have floppy-disk drives. But a reset disk is the best protection against a bad memory–yours more likely than the computer’s. Log into the account you want to protect, open Control Panel’s User Accounts applet, select the account, and in XP, click Prevent a forgotten password in the left pane. In Vista, click Create a password reset disk in the left pane. Step through the Forgotten Password Wizard, selecting the removable medium of your choice when prompted. Label the removable device appropriately, and store it somewhere safe but easy to remember. It’s one thing to forget your password, but quite another to forget where you put your password reset disk.

9: Use a password-management utility. I hesitate to rely on a third party to protect my passwords, but one that has been around for a long time is RoboForm, which comes in free and $30 Pro versions.

10: Ask for some help to reset your password. If you’ve forgotten your password and don’t have a password-reset disk handy, log onto another administrator account on the system, open the User Accounts applet in Control Panel, click Change an account in XP, or Manage another account in Vista, select the account, and change the password. A couple of weeks ago I described how to activate Vista’s hidden administrator account.

You can also change the password by booting from your XP install CD and running the Repair option. Vic Ferri provides step-by-step instructions.

CED Solutions is a Microsoft Gold Learning Partner and the #1 location for Microsoft Certifications in North America. CED Solutions is a Platinum CompTIA Partner and is one of the largest providers of training in North America. The Atlanta facility provides training for up to 490 students per day, with three buildings dedicated to training. CED Solutions provides training for up to 10,000 students per year and students take up to 800 certification exams every two weeks.